#23559: Staff (not superusers) should not manage perms of Users
-------------------------------+--------------------
Reporter: Tuttle | Owner: nobody
Type: New feature | Status: new
Component: contrib.admin | Version:
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
In our project we want to let some colleagues to see and modify several
tables including the Users table. Nevertheless I don't want the colleague
to be able to elevate his or anybody else's privileges.
May I submit little change of {{{UserAdmin}}} similar to the following for
consideration?
{{{#!python
def get_readonly_fields(self, request, obj=None):
rof = super(UserAdmin, self).get_readonly_fields(request, obj)
if not request.user.is_superuser:
rof += ('is_staff', 'is_superuser', 'groups', 'user_permissions')
return rof
}}}
I rather doubt there is a use-case for current behaviour: Once the access
to Users table is given, one can do anything.
In case the behavior change will get rejected, how about to add it as a
tip in the doc?
--
Ticket URL: <https://code.djangoproject.com/ticket/23559>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/049.47def20c3fc145fec8e7de28465d45ce%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
